What Is a umask? Default Permissions for New Files
A umask is a setting that determines which permission bits are removed from newly created files and directories by default.
When a program creates a file, it requests a set of permissions, but the umask masks some of them off. The umask is why a new file usually is not world-writable even if the creating program asked for broad permissions. In CI, the umask quietly shapes the permissions of files your build produces.
What a umask is
The umask is a per-process setting that subtracts permission bits from the mode a program requests when creating a file. A common umask of 022 removes write permission for group and others.
How the math works
A file is typically requested with mode 666 and a directory with 777. The umask is subtracted: with umask 022, files become 644 and directories 755. The umask never adds permissions, only removes them.
Viewing and setting it
umaskwith no arguments prints the current value.umask 077makes new files private to the owner.- The change applies to the current shell and its children.
umask versus chmod
chmod changes an existing file's permissions; umask changes the defaults for files yet to be created. They work together: umask sets the baseline, chmod adjusts individual files afterward.
umask in CI
The runner's umask determines default permissions of generated files and artifacts. A surprisingly permissive umask can leave secrets or outputs more open than intended, while a strict one can make shared files unreadable to a following step.
Sensible defaults on managed runners
On Latchkey runners, the default umask gives reasonable file permissions for build outputs. When a step writes sensitive files, set a tighter umask (like 077) or chmod them afterward to keep them private.
Key takeaways
- A umask removes permission bits from newly created files by default.
- With umask 022, new files become 644 and directories 755.
- In CI, the umask shapes the permissions of generated files and artifacts.